[PLUG] OT VLAN Setup between 2 Cisco switches

Mike C. mconnors1 at gmail.com
Fri Sep 11 05:13:17 UTC 2020


The config looks more like I'd expect to see it with the exception of these
omissions:

1. The camera ports don't have a vlan id set. I'd expect to see a config
statement like this for the camera ports:

switchport access vlan 20

2. No trunk switchport mode config statement. I'd expect to see a config
statement for port 50 that sets the port mode to trunk, the equivalent of
the "switchport mode access" set on all the other ports:

switchport mode trunk



On Thu, Sep 10, 2020 at 5:32 PM Chuck Hast <wchast at gmail.com> wrote:

> Mike,
> I did all of the upgrades, there were some totally different
> screens after the final upgrade, I have uploaded a test
> config file for you to look at.
> http://www.fileconvoy.com/dfl.php?id=ga1a6f14cc72ae98a100028043901eb98b17d036d59
>
>
> On Wed, Sep 9, 2020 at 11:28 PM Chuck Hast <wchast at gmail.com> wrote:
>
> > Found the guide for the GUI. Now to see if it can show me how to
> > get SSH working so I can get to the CLI.
> >
> > https://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbss/sf20x_sg20x/administration_guide/Cisco_200Sx_v1_4_AG.pdf
> >
> > On Wed, Sep 9, 2020 at 10:48 PM Chuck Hast <wchast at gmail.com> wrote:
> >
> >> Well the switches in question are at a remote site but
> >> I have another one of those switches here at home so
> >> I am getting it brought up to date and then will go after
> >> it. It is presently at factory so there is nothing that I have
> >> added to it but to upgrade the boot/firmware. At this
> >> moment I am stuffing the latest and greatest into it,
> >> then I am going to see if I can conquer the SSH thing.
> >> It is SUPPOSED to have a SSH server on board but
> >> so far I have not seen it. I see the client side but not
> >> the server side. But yet there is the CLI command list
> >> and I see comments about a box to be checked to
> >> enable the SSH server, (have yet to see said box).
> >> So I shall start with this one and get it going then I
> >> will use it as my reference with the other two.
> >>
> >>
> >> On Wed, Sep 9, 2020 at 10:25 PM Mike C. <mconnors1 at gmail.com> wrote:
> >>
> >>> At this point, it prolly makes more sense to just factory reset the switch and then just put all the camera ports in vlan 20 and then tag port 50 as a member of vlan 20.
> >>>
> >>> I'm not sure how old this OS is but when Cisco and other vendors first started rolling out their GUIs, it wasn't uncommon for folks to get confused while provisioning, troubleshooting and even for config files being corrupted.
> >>>
> >>> So, it's just force of habit for me to look at the actual running config.
> >>>
> >>> I hope this helps you get this all sorted out soon.
> >>>
> >>> On Wed, Sep 9, 2020 at 6:30 PM Chuck Hast <wchast at gmail.com> wrote:
> >>>
> >>> > Mike,
> >>> > I have done all of the upgrades to those switches in order to
> >>> > obtain the coveted CLI access (there is no console port, but
> >>> > according to the docs there should now be a SSH server on
> >>> > the device with the upgrades to the latest code but so far no
> >>> > joy. I will go over all of that and figure out how to translate it
> >>> > to the GUI, and do it that way. Or figure out what is missing
> >>> > to SSH into the box. According to some of the documentation
> >>> > after I did the upgrade to 14.x there should be a ssh server
> >>> > box to tick in order to activate it but so far no joy.
> >>> >
> >>> > See my comments below regarding your observations:
> >>> >
> >>> > On Tue, Sep 8, 2020 at 7:54 PM Mike C. <mconnors1 at gmail.com> wrote:
> >>> >
> >>> > > Thanks Chuck,
> >>> > >
> >>> > > I did quite a bit of reading and although this configuration should work, it's outside of norms / best practices.
> >>> > >
> >>> > > The way I was taught and always configured vlans is that by default all ports and packets are untagged and are in the default vlan. Which is vlan 1 for Cisco. Then tag ports with the vlan you want them to be a part of.
> >>> > >
> >>> > > Your configuration is the exact opposite. You've tagged the default vlan 1 on the trunk and left vlan 20 untagged
> >>> > >
> >>> > > Wow, I thought I was tagging the ports for VLAN 20 based on what I see on the GUI. I will go back into it and see what I have screwed up.
> >>> >
> >>> >
> >>> > > switchport trunk native vlan 20
> >>> > > switchport default-vlan tagged
> >>> > >
> >>> >
> >>> > This should be reversed. I was of the idea (based on what I see on the GUI) that VLAN 1 was the default and administrative and it was not tagged...
> >>> >
> >>> > >
> >>> > > The switchport default-vlan tagged command is to provide backward compatibility support for devices that don't support 802.1Q vlan tags. In effect, the port functions in both access & trunk mode at the same time.
> >>> > >
> >>> > > But your switches are vlan aware, so this config is unnecessary and I think the cause of your problems.
> >>> > >
> >>> >
> >>> > I shall look into it and figure out how to get rid of it from the GUI if I cannot figure out why it does not allow a SSH server to run.
> >>> >
> >>> > >
> >>> > > What I recommend trying is disabling the switchport default-vlan tagged w. the "no switchport default-vlan tagged" command or GUI.
> >>> > >
> >>> > > And then removing the native vlan 20 on the trunk with the "no switchport trunk native vlan 20" command.
> >>> > >
> >>> > > This will set the default and the native vlan that was set to vlan 20 both to vlan 1.
> >>> > >
> >>> >
> >>> > I wonder if I would not be faster to just set the switch to factory and then go in and set up the VLAN 20 ports.
> >>> >
> >>> > After reset all of the ports of course are on VLAN 1. I was thinking that I was moving the camera ports to VLAN 20.
> >>> >
> >>> > >
> >>> > > Then run the command "switchport mode trunk allow vlan 20" which will make the trunk port also a member of vlan 20 and will pass tagged packets from the camera ports that are only members of vlan 20.
> >>> > >
> >>> >
> >>> > I have got to figure out how to get to a CLI...
> >>> >
> >>> > >
> >>> > > Then change the camera ports from general to access. Those ports will only be a member of 1 vlan and that is the pvid vlan 20. The port will accept both untagged and tagged packets from the cameras and only send untagged packets to the cameras.
> >>> > >
> >>> > > I will get those ports changed and see how that goes. Thank you again for the guidance.
> >>> >
> >>> >
> >>> > > That should do the trick for you.
> >>> > >
> >>> > > Here's a link to the CLI reference for your switch,
> >>> > >
> >>> > > https://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbss/sf200e/command_line_reference/OL-22850.pdf
> >>> > >
> >>> > > As this is a more standard way of configuring vlans, this is the best config to start with. Let's see what this gets you.
> >>> > >
> >>> > > On Sun, Sep 6, 2020 at 9:39 AM Chuck Hast <wchast at gmail.com> wrote:
> >>> > >
> >>> > > > Mike,
> >>> > > > I finally got the switches to give up the config files. Getting these things from firmware 1.2 to 1.4.11 took 4 firmware upgrades and 1 boot upgrade. Below is the url to the switch config files
> >>> > > > http://www.fileconvoy.com/dfl.php?id=g440c3055c46aeeae1000279093dea129f9edbcfc24
> >>> > > >
> >>> > > >
> >>> > > > On Sun, Aug 30, 2020 at 10:16 AM Chuck Hast <wchast at gmail.com> wrote:
> >>> > > >
> >>> > > > > Well, I have been trying to get a backup file out of this so I can send it to you, but so far when I try to do http/https backup it fails; the only thing I get is a network error, and if I look in the switch logs, it says it cannot find the file.
> >>> > > > >
> >>> > > > > I have a SG300-28 at home, it was never this cantankerous, I can do file backups and uploads to it with no issues whatsoever.
> >>> > > > >
> >>> > > > > They must have cut some major corners somewhere with these switches.
> >>> > > > >
> >>> > > > >
> >>> > > > > On Sun, Aug 23, 2020 at 11:30 AM Chuck Hast <wchast at gmail.com> wrote:
> >>> > > > >
> >>> > > > >> Well, I went to pull the backed up config files out of both switches and got a "network failure." I set up a tftp server on my laptop and tried to go that way and got a "file not found" error.
> >>> > > > >>
> >>> > > > >> Appears that I have to upgrade to a later rev of the firmware/boot file. Both switches are presently at Rev 1.2.9.44, which has no ssh, and appears that it "likes" some old version of i.e. So perhaps doing that upgrade will take care of these issues. Who knows. Once I do the upgrades I will let you know what happens, if it still does not want to pass the vlan 20 to switch 02 I will pull the config file and send it. This rev level has NO CLI whatsoever, but it is installed in one of the later revs, got to get to that.
> >>> > > > >>
> >>> > > > >>
> >>> > > > >> On Mon, Aug 17, 2020 at 11:38 PM Chuck Hast <wchast at gmail.com> wrote:
> >>> > > > >>
> >>> > > > >>> Let me get you the config files, let us not break our heads on it until you can look at them. I know on the web screens I set up port 50 to have vlan 20 tagged on both ends. In my meagre work in this area, it seems that I always did the same thing, the link carrying the camera VLAN went on a separate path to keep possible latency down due to competition for the link path.
> >>> > > > >>>
> >>> > > > >>> This is the same case the cameras are on VLAN 20, it is a total network island because the stinking cameras call home, and the best way to avoid it is just to put them on an island network. This is the first time I can recall having this issue. In the past I just tagged the two ends of the link and my video data went that direction. All the rest went with VLAN 1 on the other link.
> >>> > > > >>>
> >>> > > > >>> On Mon, Aug 17, 2020 at 4:15 AM Mike C. <mconnors1 at gmail.com> wrote:
> >>> > > > >>>
> >>> > > > >>>> >
> >>> > > > >>>> > That is what I was thinking based on the other Cisco doc I read; all I need to do is set both of the two fibre links up as trunks and it should work, but there is another one that also said the part about tagging. I have VLAN 20 (the VLANS are 1, 10 and 20) on port 50 on both ends, I have also removed it but still no joy.
> >>> > > > >>>>
> >>> > > > >>>>
> >>> > > > >>>> Just to be clear, with port based vlans, which is what you have, a port can only belong to 1 untagged vlan. So when you have a port set to untagged w. the pvid set, then that port will only be in the default / native vlan, which is VLAN 1 on most network equipment vendors. This is often used as the management vlan.
> >>> > > > >>>>
> >>> > > > >>>> However, you can only have 1 untagged vlan per port. Any other vlans you want that port to handle must be tagged. Otherwise, all those packets will be treated as if they're part of the default / native vlan.
> >>> > > > >>>>
> >>> > > > >>>> Which seems to be what you have configured. VLAN 1 untagged pvid on P49 and VLAN 20 untagged pvid on P50 on both switches.
> >>> > > > >>>>
> >>> > > > >>>> And that makes me reconsider my earlier statement:
> >>> > > > >>>>
> >>> > > > >>>> Switch B
> >>> > > > >>>> >
> >>> > > > >>>> > 49 GE49 Enabled Disabled STP Root 20000 128 Forwarding 32768-f0:29:29:f5:43:bd 128-97 0 1
> >>> > > > >>>> > 50 GE50 Enabled Disabled STP Alternate 20000 128 Discarding 32768-f0:29:29:f5:43:bd 128-98 0 0
> >>> > > > >>>> > This one says discarding for port 50, so suspect that is the issue.
> >>> > > > >>>> >
> >>> > > > >>>>
> >>> > > > >>>> Normally, the way this is designed and configured when there's multiple uplinks is to create a LAG or MLT, a trunk group that carries all VLANs. This provides more bandwidth and failover redundancy.
> >>> > > > >>>>
> >>> > > > >>>> But you haven't said anything about a LAG configuration and if you don't have any traffic traversing P50, if memory serves until you take the fibre link down on P49. Is that correct?
> >>> > > > >>>>
> >>> > > > >>>> Therefore, if you want this to work you will have to tag vlan 10, 20 on port 49 and port 50 and you will have only 1 active uplink over which all VLANs traverse.
> >>> > > > >>>>
> >>> > > > >>>> Then in the event of a failure of the active uplink, Spanning Tree will reconfigure and use P50.
> >>> > > > >>>>
> >>> > > > >>>> Does that make sense at all? This is difficult to troubleshoot and explain over email without the configs.
> >>> > > > >>>> _______________________________________________
> >>> > > > >>>> PLUG: https://pdxlinux.org
> >>> > > > >>>> PLUG mailing list
> >>> > > > >>>> PLUG at pdxlinux.org
> >>> > > > >>>> http://lists.pdxlinux.org/mailman/listinfo/plug
> >>> > > > >>>>
> >>> > > > >>>
> >>> > > > >>>
> >>> > > > >>> --
> >>> > > > >>>
> >>> > > > >>> Chuck Hast  -- KP4DJT --
> >>> > > > >>> I can do all things through Christ which strengtheneth me.
> >>> > > > >>> Ph 4:13 KJV
> >>> > > > >>> Todo lo puedo en Cristo que me fortalece.
> >>> > > > >>> Fil 4:13 RVR1960
> >>> > > > >>>
> >>> > > > >>
> >>> > > > >
> >>> > > >
> >>> > >
> >>> >
> >>>
> >>
> >
>

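The two omissions Mike lists at the top of this message, together with the settings he recommended earlier in the thread (no `switchport default-vlan tagged`, native VLAN back to 1, VLAN 20 tagged across port 50, camera ports in access mode in VLAN 20), are easy to check mechanically before a config goes onto a remote switch. The script below is an added example for this page, not code from the list or from Cisco: it parses a Cisco Small Business style running-config and reports each interface that deviates from that layout. The interface names, the sample configs, and the assumption that the trunk's VLAN list is written as `switchport trunk allowed vlan add <list>` are all constructed for the example.

```python
"""Audit a Cisco Small Business style running-config for the VLAN mistakes
discussed in this thread.  Example code added to the page, not from the list
or from Cisco.  Interface names, the camera VLAN (20), the uplink port (50)
and the sample configs are constructed; the allowed-VLAN syntax assumed is
'switchport trunk allowed vlan add <list>'."""
import re

CAMERA_VLAN = 20
CAMERA_PORTS = {"fastethernet1", "fastethernet2"}   # constructed camera ports
UPLINK_PORTS = {"gigabitethernet50"}                 # port 50: the fibre uplink


def expand_vlan_list(text):
    """'1,10-12,20' -> {1, 10, 11, 12, 20}."""
    vlans = set()
    for part in filter(None, (p.strip() for p in text.split(","))):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config_text):
    """Return {interface name: [indented commands]} from a running-config."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None          # a global command ends the section
    return interfaces


def audit(config_text, camera_vlan=CAMERA_VLAN, camera_ports=CAMERA_PORTS,
          uplinks=UPLINK_PORTS):
    """Return [(interface, finding)]; an empty list means the config matches
    the recommended layout: camera ports in access VLAN 20, native VLAN 1 on
    the trunk, VLAN 20 tagged across it, and no 'default-vlan tagged'."""
    findings = []
    for name, cmds in parse_interfaces(config_text).items():
        if name not in camera_ports and name not in uplinks:
            continue
        mode = next((c.split()[2] for c in cmds
                     if c.startswith("switchport mode ")), None)
        if "switchport default-vlan tagged" in cmds:
            findings.append((name, "default-vlan tagged is set; both switches "
                                   "are VLAN-aware, so remove it"))
        if name in uplinks:
            if mode != "trunk":
                findings.append((name, "uplink lacks 'switchport mode trunk'"))
            # Cisco's default native VLAN is 1 when none is configured.
            native = next((int(c.split()[-1]) for c in cmds
                           if c.startswith("switchport trunk native vlan ")), 1)
            if native != 1:
                findings.append((name, f"native VLAN is {native}, expected 1"))
            allowed = set()
            for c in cmds:
                m = re.match(r"switchport trunk allowed vlan add (\S+)", c)
                if m:
                    allowed |= expand_vlan_list(m.group(1))
            if camera_vlan not in allowed:
                findings.append((name, f"VLAN {camera_vlan} is not tagged on "
                                       "the trunk"))
        else:
            if mode != "access":
                findings.append((name, "camera port lacks 'switchport mode access'"))
            # Without 'switchport access vlan' the port stays in VLAN 1.
            access = next((int(c.split()[-1]) for c in cmds
                           if c.startswith("switchport access vlan ")), 1)
            if access != camera_vlan:
                findings.append((name, f"access VLAN is {access}; cameras "
                                       f"belong in VLAN {camera_vlan}"))
    return findings


# Constructed sample configs: the first mirrors the omissions called out above.
BROKEN_CONFIG = """\
interface fastethernet1
 description camera-1
 switchport mode access
 switchport access vlan 20
!
interface fastethernet2
 description camera-2
 switchport mode access
!
interface gigabitethernet50
 description uplink-to-switch-02
 switchport trunk native vlan 20
 switchport default-vlan tagged
!
"""

FIXED_CONFIG = """\
interface fastethernet1
 switchport mode access
 switchport access vlan 20
!
interface fastethernet2
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet50
 switchport mode trunk
 switchport trunk allowed vlan add 10,20
!
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        result = audit(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for iface, msg in result:
            print(f"  {iface}: {msg}")
```

Run against the constructed "broken" config it reports one finding on the second camera port (no access VLAN, so it silently stays in VLAN 1) and four on port 50; the "fixed" config is clean. Feeding it the real `show running-config` text is the same call, provided the port names in `CAMERA_PORTS` and `UPLINK_PORTS` are adjusted to the switch.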

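Mike's 17 August explanation (one untagged VLAN per port, the PVID; everything else tagged; untagged frames classified into the PVID of the port they arrive on) and his later note that an access port accepts both untagged and tagged frames for its VLAN but only sends untagged ones can be made concrete with a small port model. The block below is an added example for this page, not code from the list or from Cisco; the switch labels, port numbers and the two scenarios are constructed. It goes one step beyond the thread by also showing why the native VLAN must agree on both ends of the link: if only one end of port 50 is reversed, untagged VLAN 1 frames arriving from the other switch are classified into VLAN 20 and the camera "island" is no longer an island.

```python
"""Toy 802.1Q port model for the points made in the thread: a port has exactly
one untagged VLAN (its PVID), every other VLAN it carries must be tagged, and
an untagged frame is classified into the PVID of the port it arrives on.
Example code added to this page, not from the list or from Cisco; switch
labels, port numbers and the two scenarios are constructed."""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    pvid: int                                  # the one untagged VLAN
    tagged: set = field(default_factory=set)   # VLANs carried with a tag

    def ingress(self, vid):
        """Classify an arriving frame; vid=None means untagged.  Returns the
        VLAN the frame is placed in, or None if the port is not a member."""
        if vid is None:
            return self.pvid
        if vid == self.pvid or vid in self.tagged:
            return vid
        return None

    def egress(self, vlan):
        """(forwarded, tag on the wire): the PVID leaves untagged, tagged
        members leave with their tag, anything else is not forwarded."""
        if vlan == self.pvid:
            return True, None
        if vlan in self.tagged:
            return True, vlan
        return False, None


def traverse(hops, vid=None):
    """Push one frame through (ingress_port, egress_port) pairs, one pair per
    switch.  Returns (VLAN chosen at each switch, tag on the final wire), or
    None if any port dropped the frame."""
    trail = []
    for in_port, out_port in hops:
        vlan = in_port.ingress(vid)
        if vlan is None:
            return None
        trail.append(vlan)
        forwarded, vid = out_port.egress(vlan)
        if not forwarded:
            return None
    return trail, vid


def native_mismatch(a_end, b_end):
    """Both ends of a trunk must agree on which VLAN travels untagged."""
    return a_end.pvid != b_end.pvid


def build_switches(b_native=1, b_tagged=(20,)):
    """Two switches joined on port 50.  Switch A uses the recommended layout
    (cameras in access VLAN 20, trunk native 1 with 20 tagged); switch B's
    trunk end is a parameter so a mismatched native VLAN can be shown."""
    a = {"cam": Port("A/fa1", 20), "mgmt": Port("A/fa3", 1),
         "p50": Port("A/gi50", 1, {20})}
    b = {"cam": Port("B/fa1", 20), "mgmt": Port("B/fa3", 1),
         "p50": Port("B/gi50", b_native, set(b_tagged))}
    return a, b


def camera_to_camera(a, b, vid=None):
    """A frame from a camera on A towards the camera port on B."""
    return traverse([(a["cam"], a["p50"]), (b["p50"], b["cam"])], vid)


def mgmt_host_to_camera(a, b):
    """An untagged frame from a VLAN 1 host on A aimed at B's camera port;
    with a correct trunk it must never be delivered."""
    return traverse([(a["mgmt"], a["p50"]), (b["p50"], b["cam"])])


if __name__ == "__main__":
    a, b = build_switches()
    print("matched trunk   :", camera_to_camera(a, b), mgmt_host_to_camera(a, b))
    a, b = build_switches(b_native=20, b_tagged=(1,))
    print("mismatched trunk:", camera_to_camera(a, b), mgmt_host_to_camera(a, b),
          "mismatch:", native_mismatch(a["p50"], b["p50"]))
```

With both trunk ends at native VLAN 1 and 20 tagged, a camera frame (tagged 20 or untagged) crosses the link tagged and is delivered untagged to the far camera port, while a VLAN 1 frame is dropped at that port because it is not a member. With B's end reversed (native 20, VLAN 1 tagged), the same VLAN 1 frame leaves A untagged, is classified as VLAN 20 on arrival, and reaches the camera port; `native_mismatch` is the one-line check that catches that before it happens.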
